Partition and recovery of a verifiable digital secret

ABSTRACT

Techniques and systems for protecting verifiable digital secrets such as encryption keys and identification codes based on partition and recovery processes are described. Implementations of the present techniques may be used, for example, to offer individuals a personalized tool for protecting secret data and to provide enhanced security. The partition and recovery may be carried out at the same computer or on separate computers.

This application claims the priority of U.S. provisional patent application No. 60/510,443 entitled “PARTITION AND RECOVERY OF A SECRET” and filed on Oct. 10, 2003, the entire disclosure of which is considered part of and is incorporated by reference as part of the disclosure of this application.

TECHNICAL FIELD

This application relates to digital security techniques, devices, and systems and to secret data protection for security functions in computers, computer systems and networks, and other information and communications systems and networks.

BACKGROUND

Many information systems such as computer networks use secret data to perform security functions which include but are not limited to entity authentication, data encryption or decryption, communication integrity protection, and other security services. For example, passwords or PINs (Personal Identification Numbers) are common secret data used as an input to authenticate a user. Chosen by owners or authorized users, passwords and PINs are probably among the earliest types of secret data used in security services. Those human-chosen secrets are generally considered weak secrets, because such secrets are often guessable and thus are vulnerable to several known attacks, particularly in the environment of the Internet or other computer networks. It is generally recognized that use of human-chosen secrets alone may not be sufficient to successfully perform security services in many circumstances. Accordingly, other forms of secret data may be further required for security services. Examples of secret data that are not chosen by users include but are not limited to private keys used in a Public-Key Infrastructure (PKI) environment, vendor-provided PINs (long PINs) used for authenticating a bank account or a membership, vendor-provided decryption keys for deciphering scrambled information contents, secret keys of symmetric cryptography for generating Message Authentication Codes (MACs), session keys for keeping messages confidential during a communication session, and other secret information. Such secrets are not chosen by users and are usually generated by computer codes. Secrets of this type are hereafter referred to as computer-generated secrets. Protection of both the computer-generated secrets and the human-chosen secrets is increasingly important and is becoming increasingly difficult on the Internet and computer networks in general.

Computer-generated secrets for security services usually include more data bits than a user-chosen secret does and often present no semantic meaning to human beings. Due to this lack of semantic meaning, it is generally difficult if not impossible for a person to memorize computer-generated secrets. Therefore, there exist two needs with different orientations. There is a human need for using user-chosen secrets like passwords; on the other hand, there is a system need for using computer-generated secrets like cryptographic keys. In the past decades of the Internet era, many solutions were developed to meet both needs in an information system. A solution is acceptable only if it securely protects both the computer-generated secret and the human-chosen secret.

In one approach, a computer-generated secret is generated, regenerated or recovered at a client by accepting human-chosen secret data and with the assistance of other computing facilities connected to the client through the network. In this context, a client is a network station or device that is capable of performing computational tasks and communicating with other network stations or devices. Other network-connected computing facilities that assist a client are referred to as servers.

Various solutions adopting the server-assistance approach were surveyed by R. Perlman and C. Kaufman and published in “Secure Password-Based Protocol for Downloading a Private Key,” Proc. 1999 Network and Distributed System Security Symposium, Internet Society (January 1999). Bellovin and Merritt's EKE (Encrypted Key Exchange) protocol (1992) is included in this survey. See Bellovin and Merritt, “Encrypted Key Exchange: Password-Based Protocols Secure Against Dictionary Attacks,” in Proceedings of the IEEE Symposium on Security and Privacy, pp. 72-84 (1992). EKE allows a client and a server sharing a common password to generate cryptographic keys for confidential and authenticated message communications. Related patents include U.S. Pat. Nos. 5,241,599 and 5,440,635. These and other solutions with the server-assistance approach are limited in their effectiveness in part because the server represents a major vulnerability or involves authenticated and often complicated communications with clients.

Kaliski presented a method in 2001 that permits a client to regenerate a computer-generated secret (a strong secret) from human-chosen secrets (weak secret data) with the assistance of servers while remaining resistant to attacks on the servers. See U.S. patent publication No. 20010055388 entitled “Server-assisted regeneration of a strong secret from a weak secret.” In one application, the regenerated secret is an input to user authentication. In another application, the regenerated secret is a decryption key to decipher private data such as a private key in public-key cryptography. An indispensable part of the method is a computing process for generating strong secrets. In other words, the regenerated strong secret is initially generated by the same method, not originated from a system implemented with other secret-data generating schemes.

In another approach, the computer-generated secret is stored on a secure hardware token. The hardware token is physically connected to a client computer and the secret is made accessible to a user at the client computer by accepting the user's chosen secret. An integrated circuit card (IC card) is a typical example of a secure hardware token. IC cards form a two-factor authenticator: the card and the PIN. A PIN, a short PIN, is chosen by a cardholder and is used to authenticate the cardholder's access to a computer-generated secret, such as a private key, stored on the card. IC cards have secure, tamper-resistant memory to store secrets. In some implementations, processors inside IC cards are able to perform critical computation entirely within a card, thereby preventing the protected secret from leaking out. As an example, signing the digital fingerprint of a message is confined to the card where the signature private key is stored. This additional capability is useful for protecting highly sensitive secret information.

In the physical-token approach, the secret under protection can originate from a variety of secret-data generating computer codes. In this sense, the physical-token approach can be adopted to accommodate the needs of various security services now in use or those to be developed in the future.

Using IC cards to protect computer-generated secret data needs additional hardware cost, because it demands the use of cards as well as card readers and other equipment such as card manufacturing equipment. Using IC cards further causes user inconvenience since card readers are not yet ubiquitous.

Other memory devices or storage apparatuses like a USB (Universal Serial Bus) storage device, an RFID (Radio Frequency Identification) tag or a diskette are more convenient and less costly. Data on these media are easier to copy. Therefore, a USB device, an RFID tag, a diskette or something alike may not be a secure token. Secrets stored on these media are often encrypted using a password as the encryption key. The password or its verification data (such as a hash value of the password) must be saved somewhere for validating password entries. Theft of the password or the verification data presents a threat to the security of such secrets. Password guessing is another threat when the encrypted secret is available or is accessible to attackers. Cryptanalysis is a further threat to break the encrypted secret; some cryptanalysis techniques demand no prior knowledge about the encryption key, the password.

SUMMARY

In recognition of the above, there is a need for a more effective and efficient method for protecting a computer-generated secret and permitting a client to regenerate or recover the secret through user-chosen secrets without the assistance of servers. To yield greater utility for the method, the secret under protection should not be limited to the inputs to a specific security service and should not be limited to those secret data generated by specific computer codes.

The protected secrets suitable for the present techniques include, among others, cryptographic keys for enciphering and deciphering messages using techniques of symmetric cryptography, private keys of public-key and private-key pairs in a PKI (Public Key Infrastructure) environment, vendor-provided long identification numbers or codes used for authenticating a bank account or a membership, and other computer-generated secret data. These secrets have one feature in common: verifiability. In some circumstances, the regeneration or recovery of a computer-generated secret from user-chosen secret data must meet further constraints. For example, a computer-generated secret with a certain purpose must be regenerated or recovered only at a specific client or only with an irreplaceable token. Thus, there is a need for a more flexible method for regenerating or recovering a computer-generated secret from passwords and other selected data, wherein the additional selected data are used to impose certain conditions on regeneration or recovery of the secret.

Implementations of the present techniques may be used, for example, to offer individuals a personalized tool for such secret data protection and to allow them to apply this tool at client sites around the network, and to allow users to use a personalized tool with their passwords without the need to store, or to communicate to servers, their passwords or information derived from their passwords. As another example, implementations of the present techniques may also be used for recovering computer-generated secrets from user-chosen data including passwords. The recovery may be carried out entirely within the computing facilities of a client site.

A method of this application combines a partition process and a recovery process for protecting a digital secret. In the partition process, a personalized input determined by an authorized user or the owner of the protected secret is transformed into a secret-independent digital segment according to a first transformation function. Next, both the secret-independent digital segment and the digital secret itself are used as input to a second transformation function to produce a secret-dependent digital segment that conceals the digital secret. After the secret-dependent digital segment is produced, the secret-independent digital segment and the protected secret itself are deleted from the computer memory. In recovery of the digital secret, a user who initiates the recovery is first requested to provide (1) the secret-dependent digital segment and (2) the personalized input. Next, the computation of the recovery process is carried out from a first input from the user in response to the request for the secret-dependent digital segment and a second input from the user in response to the request for the personalized input. This produces an output to the user. The output reveals the digital secret to the user only when both the first input matches the secret-dependent digital segment and the second input matches the personalized input.

In the above, the partition process comprises a first transformation function and a second transformation function, while the recovery process comprises the same first transformation function and a third transformation function. The first function transforms a personalized input into a secret-independent digital segment. The second function uses two inputs, the secret-independent digital segment produced from the first transformation and the secret itself, and transforms the inputs into a secret-dependent digital segment. The third transformation function has two inputs. Given the same secret-independent digital segment as one input, the third transformation function is an inverse transformation of the second transformation function.

The personalized input may be highly personalized and unique. Passwords selected by the owner or an authorized user of the protected secret may be used as the entirety or a part of a personalized input. In some circumstances, the personalized input is a selected input comprising a selected password and a device-specific code. Availability of the device-specific code may be restricted to a specified device. Chosen data as part of the personalized input, in general, may include passwords, random numbers, and identification data like distinguishing identifiers, identification codes of personal devices, names or identification data for locations.

In one implementation, the protection of the digital secret may be enhanced by removing any data on the digital secret and the secret-dependent digital segment from the computer network to eliminate the possibility of being attacked via the computer network. This may be achieved, for example, by first storing the secret-dependent digital segment in a portable storage device prior to the removal operation. The portable storage device is then disconnected from the computer network. In this process, the secret-dependent digital segment is not kept in any persistent memory in the computer network or a device.

In one implementation, the computation of a recovery process is carried out at a client site upon request from the owner or an authorized user of the secret, and, subsequently, the recovered secret is validated at the same client site. Verification data needed for this validation task may be made available on this client.

Additional methods and devices described in this application include,but are not limited to, the following.

1. A method for protecting a digital secret, comprising:

transforming a user-selected password, which is independent of a digital secret to be protected, into a temporary value by a first transformation;

using the temporary value and the digital secret as inputs to a second transformation to produce a secret-dependent digital segment in a transitory memory;

storing the secret-dependent digital segment in a persistent memory;

deleting the secret-dependent digital segment from the transitory memory; and

deleting the digital secret and the temporary value from each memory associated with computations of the first and second transformations.

2. The method as in the above item No. 1, further comprising:

receiving a password and a secret-dependent segment from a user requesting the recovery of the digital secret;

without a prior validation of the received password, using the received password and the received secret-dependent digital segment as inputs to a third transformation to compute a value as a recovered secret;

validating the recovered secret with verification information that has a relationship with the digital secret; and

determining whether the received password matches the selected password and whether the received secret-dependent digital segment matches the secret-dependent digital segment according to an outcome of the validating step.

3. The method as in the above item No. 2, wherein the first and second transformations are configured, respectively, as a first function ƒ₁ and a second function ƒ₂, and the third transformation is configured as a composite function of the first function ƒ₁ and a third function ƒ₃ in the sequence of computing ƒ₁ first and subsequently computing ƒ₃.

4. The method as in the above item No. 3, wherein the first, the second, and the third functions are as follows:

(1) U=ƒ₁(password)=hash(password)+β, where hash( ) is a collision-resistant hash function producing a positive integer for all instances of the password and β is a constant non-negative integer;

(2) V=ƒ₂(U, S)=(U+α×S) mod q, where U is an input value representing an output instance produced by the function ƒ₁, S is a positive integer representing an instance of the digital secret, q is a positive integer larger than all instances of the digital secret and also larger than hash(password) for all instances of the password, and α is a positive integer relatively prime to q; and

(3) S=ƒ₃(U, V)=(α⁻¹×V+((−(α⁻¹×U mod q)) mod q)) mod q, where U is an input value representing an output instance produced by the function ƒ₁, V is an input value representing an instance of the secret-dependent digital segment, q is the sufficiently large integer as defined in ƒ₂, α is also as defined in ƒ₂, and α⁻¹ is the multiplicative inverse of α, modulo q.
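The three functions compose as required because ƒ₃(U, ƒ₂(U, S)) = α⁻¹×(V − U) mod q = α⁻¹×α×S mod q = S whenever 0 < S < q, and α⁻¹ exists exactly because α is relatively prime to q. The following Python implementation is an added example, not code from this application: it implements ƒ₁, ƒ₂ and ƒ₃ with assumed parameters (q = 2^521 − 1, which is prime, so any 0 < α < q is relatively prime to it; α = 65537; β = 7; SHA-256 as hash( )), runs the recovery of item 2 in its required order (compute first, validate the result afterwards against verification data, here a hash of the secret), and shows the caveat raised in the background section: whoever holds both V and the verification data can test password guesses offline.

```python
"""Partition and recovery with f1, f2, f3 as in item 4 (added example, not the
application's code).  Parameter values are assumptions for illustration."""
import hashlib
import hmac
import math
from typing import Optional

# Assumed public parameters.  Q is prime, so ALPHA is relatively prime to it and
# the multiplicative inverse exists; Q exceeds any 256-bit hash(password) and any
# secret accepted by f2.
Q = (1 << 521) - 1
ALPHA = 0x10001
BETA = 7
ALPHA_INV = pow(ALPHA, -1, Q)      # alpha^-1 mod q (Python 3.8+)
assert math.gcd(ALPHA, Q) == 1


def f1(personalized_input: bytes) -> int:
    """U = hash(input) + beta, with SHA-256 as the collision-resistant hash."""
    return int.from_bytes(hashlib.sha256(personalized_input).digest(), "big") + BETA


def f2(u: int, s: int) -> int:
    """V = (U + alpha * S) mod q: the secret-dependent segment."""
    if not 0 < s < Q:
        raise ValueError("secret must be a positive integer smaller than q")
    return (u + ALPHA * s) % Q


def f3(u: int, v: int) -> int:
    """S = (alpha^-1 * V + ((-(alpha^-1 * U mod q)) mod q)) mod q, the item 4 form."""
    return (ALPHA_INV * v + (-(ALPHA_INV * u % Q) % Q)) % Q


def partition(personalized_input: bytes, secret: int) -> int:
    """Partition process: only V is returned for storage; U and S are not kept."""
    return f2(f1(personalized_input), secret)


def recover(personalized_input: bytes, v: int) -> int:
    """Recovery process f3(f1(input), V).  Nothing here checks the password."""
    return f3(f1(personalized_input), v)


def verification_data(secret: int) -> bytes:
    """Verification data related to the secret (the 'hash of a long PIN' case)."""
    return hashlib.sha256(secret.to_bytes((secret.bit_length() + 7) // 8, "big")).digest()


def validate(candidate: int, verify: bytes) -> bool:
    """The scheme's only check: does the recovered value verify?"""
    return hmac.compare_digest(verification_data(candidate), verify)


def recover_and_validate(personalized_input: bytes, v: int, verify: bytes) -> Optional[int]:
    """Item 2 order of operations: compute first, validate afterwards.  A wrong
    password or a wrong V gives a value that fails validation."""
    candidate = recover(personalized_input, v)
    return candidate if validate(candidate, verify) else None


def guess_offline(v: int, verify: bytes, candidates) -> Optional[bytes]:
    """Caveat: anyone holding V and the verification data can test guesses
    offline, which is why V is removed from the network (item 9) and the
    password must not be guessable."""
    for pw in candidates:
        if validate(recover(pw, v), verify):
            return pw
    return None


if __name__ == "__main__":
    # Constructed 128-bit symmetric key standing in for the protected secret.
    secret = int.from_bytes(bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c"), "big")
    v = partition(b"correct horse battery staple", secret)
    verify = verification_data(secret)
    print(recover_and_validate(b"correct horse battery staple", v, verify) == secret)  # True
    print(recover_and_validate(b"wrong password", v, verify))                          # None
    print(guess_offline(v, verify, [b"123456", b"correct horse battery staple"]))
```

The deletion steps of item 1 (removing U and S from every memory used by the computations) are a requirement on the implementation that Python cannot enforce; a production implementation would compute ƒ₁ and ƒ₂ in zeroizable buffers, which is one reason the application places them on a token with its own processor (item 15).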

5. The method as in the above item No. 1, further comprising using a cryptographic key as at least part of the digital secret.

6. The method as in the above item No. 5, wherein the cryptographic key is a key in a symmetric cryptographic system.

7. The method as in the above item No. 5, wherein the cryptographic key is a private key of a key pair of a public key and the private key.

8. The method as in the above item No. 1, further comprising using an identification code for access to a secured information system as at least part of the digital secret.

9. The method as in the above item No. 1, further comprising:

performing the first and the second transformations in a computer system to which the persistent memory is connected to receive and store the secret-dependent digital segment; and

upon completion of the second transformation and storing the secret-dependent digital segment, disconnecting the persistent memory from the computer system.

10. The method as in the above item No. 1, further comprising selecting a collision-free mapping function to compute the first transformation.

11. The method as in the above item No. 1, further comprising selecting a collision-resistant hash function to compute the first transformation.

12. The method as in the above item No. 1, further comprising:

configuring the first and second transformations as a first function ƒ₁ and a second function ƒ₂, respectively, such that a composite transformation by first computing the function ƒ₁ and subsequently computing the function ƒ₂, for a given digital secret and expressed as

ƒ₂(ƒ₁(input data), the given digital secret),

is one of a collision-free mapping function and a collision-resistant hash function with respect to the input data in ƒ₁(input data).

13. The method as in the above item No. 1, further comprising:

configuring the first and second transformations as a first function ƒ₁ and a second function ƒ₂, respectively;

receiving a password and a secret-dependent segment from a user requesting the recovery of the digital secret;

without a prior validation of the received password, using the received password and the received secret-dependent digital segment as inputs to a third transformation to compute a value as a recovered secret;

making the computation of the secret-dependent digital segment by a composite function of ƒ₁ and ƒ₂ in the sequence of computing ƒ₁ first and subsequently computing ƒ₂ and the recovery of the digital secret by the third transformation be in an inverse relationship when the received password matches the selected password.

14. The method as in the above item No. 1, further comprising using a portable storage device as the persistent memory to store the secret-dependent digital segment.

15. The method as in the above item No. 14, wherein the portable storage device comprises a digital processor, and wherein the method further comprises performing the first and the second transformations on the digital processor.

16. The method as in the above item No. 15, further comprising:

receiving a password from a user requesting the recovery of the digital secret;

retrieving the secret-dependent segment;

without a prior validation of the received password, using the received password and the retrieved secret-dependent digital segment as inputs to a third transformation to compute a value as a recovered secret;

performing the third transformation on the digital processor.

17. The method as in the above item No. 14, wherein the portable storage device comprises a digital processor, and wherein the method further comprises:

receiving a password from a user requesting the recovery of the digital secret;

retrieving the secret-dependent segment;

without a prior validation of the received password, using the received password and the retrieved secret-dependent digital segment as inputs to a third transformation to compute a value as a recovered secret;

performing the third transformation on the digital processor.

18. The method as in the above item No. 1, further comprising avoiding storing the selected password and a derivative of the selected password other than the secret-dependent digital segment in a persistent memory.

19. A method for protecting a digital secret, comprising:

accepting a digital secret as a protection object;

combining a selected password from an authorized user and a device-specific code from a device into a selected input;

transforming the selected input into a temporary value by a first transformation;

using the digital secret and the temporary value as inputs to a second transformation to produce a secret-dependent digital segment in a persistent memory of the device; and

deleting the digital secret and the temporary value from each memory associated with the computations of the first and second transformations.

20. The method as in the above item No. 19, further comprising avoiding storing the selected password and a derivative of the selected password other than the secret-dependent digital segment in a persistent memory.

21. The method as in the above item No. 19, wherein the selected password and the device-specific code are combined as a concatenated bit string of data bits of the selected password and the device-specific code in either one of a first order where data bits for the selected password are before data bits from the device-specific code and a second order where data bits for the selected password are after data bits from the device-specific code.

22. The method as in the above item No. 19, further comprising:

receiving a password from a user requesting the recovery of the digital secret;

accessing the device to obtain the device-specific code;

combining the received password and the obtained device-specific code into a received input;

transforming the received input into a temporary value by the first transformation;

retrieving the secret-dependent digital segment from the persistent memory of the device; and

without a prior validation of the received password, using the temporary value and the retrieved secret-dependent digital segment as inputs to a third transformation to compute a value as a recovered secret.

23. The method as in the above item No. 22, further comprising:

configuring the first, the second, and the third transformations as a first function ƒ₁, a second function ƒ₂, and a third function ƒ₃, respectively, such that the computation of the secret-dependent digital segment by a composite function of ƒ₁ and ƒ₂ in the sequence of computing ƒ₁ first and subsequently computing ƒ₂ and the recovery of the digital secret by a composite function of ƒ₁ and ƒ₃ in the sequence of computing ƒ₁ first and subsequently computing ƒ₃ be in an inverse relationship when the received input matches the selected input.

24. The method as in the above item No. 22, wherein the device comprises a digital processor.

25. The method as in the above item No. 24, further comprising restricting the computation of the first transformation to the digital processor.

26. The method as in the above item No. 19, wherein the device is portable.
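Items 19 to 23 describe the device-bound variant: the selected input is the concatenation of the password and a device-specific code in one fixed order, V lives in the device's persistent memory, and at recovery the device code is read from the device rather than typed by the user. The following Python example is added here and is not the application's code. It reuses the ƒ₁, ƒ₂, ƒ₃ of item 4 with the same assumed parameters (q = 2^521 − 1, α = 65537, β = 7, SHA-256), models the device and its code as a small class, and validates the recovered private key with its public key, the second kind of verification data named in the detailed description. The device codes and the textbook RSA key pair are constructed for illustration; primes of that size are unusable in practice.

```python
"""Device-bound partition and recovery of a private key (items 19-23), validated
with the public key.  Added example; device model and toy RSA key are assumptions."""
import hashlib
import secrets

Q = (1 << 521) - 1                 # assumed prime modulus, larger than hash output and secret
ALPHA = 0x10001
BETA = 7
ALPHA_INV = pow(ALPHA, -1, Q)


def f1(selected_input: bytes) -> int:
    return int.from_bytes(hashlib.sha256(selected_input).digest(), "big") + BETA


def f2(u: int, s: int) -> int:
    return (u + ALPHA * s) % Q


def f3(u: int, v: int) -> int:
    return (ALPHA_INV * (v - u)) % Q        # same value as the item 4 expression


def selected_input(password: bytes, device_code: bytes, password_first: bool = True) -> bytes:
    """Item 21: one fixed concatenation order, shared by partition and recovery."""
    return password + device_code if password_first else device_code + password


class Device:
    """Stand-in for a portable device (item 26): it can read its own device-specific
    code locally and its persistent memory holds nothing but V."""

    def __init__(self, device_code: bytes):
        self.device_code = device_code
        self.persistent = {}


def partition_on_device(device: Device, password: bytes, private_key: int) -> None:
    """Item 19: combine, transform, conceal; only V is written to the device."""
    if not 0 < private_key < Q:
        raise ValueError("secret must be a positive integer smaller than q")
    u = f1(selected_input(password, device.device_code))
    device.persistent["V"] = f2(u, private_key)
    # u and private_key go out of scope here; nothing derived from the password
    # other than V is stored (item 20)


def recover_on_device(device: Device, password: bytes) -> int:
    """Item 22: the device code comes from the device, and the computation runs
    without any prior check of the password."""
    u = f1(selected_input(password, device.device_code))
    return f3(u, device.persistent["V"])


def toy_rsa_keypair():
    """Textbook RSA with tiny primes, only so that validation has a real key pair."""
    p, q = 1000003, 1000033
    n, e = p * q, 65537
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), d


def validate_private_key(candidate_d: int, public_key) -> bool:
    """Public key as verification data: a correct d undoes encryption under e."""
    n, e = public_key
    m = 123456
    return candidate_d > 0 and pow(pow(m, e, n), candidate_d, n) == m


if __name__ == "__main__":
    public, d = toy_rsa_keypair()
    dev = Device(secrets.token_bytes(16))                 # constructed device code
    partition_on_device(dev, b"hunter2", d)
    print(validate_private_key(recover_on_device(dev, b"hunter2"), public))    # True
    clone = Device(secrets.token_bytes(16))               # V copied to another device
    clone.persistent = dict(dev.persistent)
    print(validate_private_key(recover_on_device(clone, b"hunter2"), public))  # False
```

Copying V to a second device with the same password fails validation because the second device's code produces a different U; this is the constraint from the summary that a secret be recoverable only at a specific client or with an irreplaceable token. The guarantee holds only as far as the device code itself is unavailable off the device (item 25 keeps ƒ₁ on the device's own processor for that reason).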

27. The method as in the above item No. 19, further comprising:

configuring the first and the second transformations as a first function ƒ₁ and a second function ƒ₂, respectively, such that a composite transformation by first computing the function ƒ₁ and subsequently computing the function ƒ₂, for a given digital secret and expressed as

ƒ₂(ƒ₁(input data), the given digital secret),

is one of a collision-free mapping function and a collision-resistant hash function with respect to the input data in ƒ₁(input data).

28. A method for protecting a digital secret, comprising:

transforming a personalized input into a secret-independent digital segment according to a first transformation function, wherein a content of the personalized input is independent of the digital secret;

using the secret-independent digital segment and the digital secret as inputs to a second transformation function to produce a secret-dependent digital segment which digitally conceals the digital secret, wherein a third transformation function exists to use the secret-independent digital segment and the secret-dependent digital segment as inputs for recovering the digital secret;

storing the secret-dependent digital segment in a persistent memory;

deleting the digital secret and the secret-independent digital segment from each memory associated with computations of the first and second transformation functions;

requesting a user who initiates the recovery to provide (1) the personalized input and (2) the secret-dependent digital segment for recovering the concealed digital secret; and

applying the computation of the third transformation function from a first input from the user in response to the request for the personalized input and a second input from the user in response to the request for the secret-dependent digital segment to produce an output to the user, wherein the output reveals the digital secret to the user only when both the first input matches the personalized input and the second input matches the secret-dependent digital segment.

29. The method as in the above item No. 28, wherein the digital secret comprises a cryptographic key.

30. The method as in the above item No. 29, wherein the cryptographic key is a key in a symmetric cryptographic system.

31. The method as in the above item No. 29, wherein the cryptographic key is a private key of a key pair of a public key and the private key.

32. The method as in the above item No. 28, wherein the digital secret comprises an identification code for access to a secured information system.

33. The method as in the above item No. 28, wherein the personalized input comprises passwords, unique identifiers, location identification data, device identification codes, randomly-generated numbers, or a combination of these data.

34. The method as in the above item No. 28, further comprising:

after the computation of the third transformation function, performing a validation process to verify the output of the computation.

35. The method as in the above item No. 34, wherein the validation uses verification information that has a relationship with the digital secret.

36. The method as in the above item No. 28, wherein the first transformation function is a collision-free mapping function or a collision-resistant hash function.

37. The method as in the above item No. 28, wherein the composite transformation by computing the first and second transformation functions as sequenced, for a given digital secret and expressed as ƒ₂(ƒ₁(input data), the given digital secret), is a collision-free mapping function or a collision-resistant hash function with respect to the input data in ƒ₁(input data).

38. An article comprising a machine-readable medium that stores machine-executable instructions for protecting a digital secret, the instructions causing a machine to:

transform a user-selected password, which is independent of a digital secret to be protected, into a temporary value by a first transformation;

use the temporary value and the digital secret as inputs to a second transformation to produce a secret-dependent digital segment in a transitory memory;

store the secret-dependent digital segment in a persistent memory;

delete the secret-dependent digital segment from the transitory memory; and

delete the digital secret and the temporary value from each memory associated with computations of the first and second transformations.

39. The article as in the above item No. 38, wherein the instructions further cause the machine to:

receive a password and a secret-dependent segment from a user requesting the recovery of the digital secret;

without a prior validation of the received password, use the received password and the received secret-dependent digital segment as inputs to a third transformation to compute a value as a recovered secret;

validate the recovered secret with verification information that has a relationship with the digital secret; and

determine whether the received password matches the selected password and whether the received secret-dependent digital segment matches the secret-dependent digital segment according to an outcome of the validating operation.

40. The article as in the above item No. 39, wherein the first and second transformations are configured, respectively, as a first function ƒ₁ and a second function ƒ₂, and the third transformation is configured as a composite function of ƒ₁ and a third function ƒ₃ in the sequence of computing ƒ₁ first and subsequently computing ƒ₃.

41. The article as in the above item No. 40, wherein the first, the second, and the third functions are as follows:

(1) U=ƒ₁(password)=hash(password)+β, where hash( ) is a collision-resistant hash function producing a positive integer for all instances of the password and β is a constant non-negative integer;

(2) V=ƒ₂(U, S)=(U+α×S) mod q, where U is an input value representing an output instance produced by the first function ƒ₁, S is a positive integer representing an instance of the digital secret, q is a positive integer larger than all instances of the digital secret and also larger than hash(password) for all instances of the password, and α is a positive integer relatively prime to q; and

(3) S=ƒ₃(U, V)=(α⁻¹×V+((−((α⁻¹×U) mod q)) mod q)) mod q, where V is an input value representing an instance of the secret-dependent digital segment, U, q, and α are as defined in ƒ₂, and α⁻¹ is the multiplicative inverse of α, modulo q.

42. A computer system, comprising:

means for transforming a personalized input into a secret-independent digital segment according to a first transformation function, wherein a content of the personalized input is independent of the digital secret;

means for using the secret-independent digital segment and the digital secret as inputs to a second transformation function to produce a secret-dependent digital segment which digitally conceals the digital secret, wherein a third transformation function exists to use the secret-independent digital segment and the secret-dependent digital segment as inputs for recovering the digital secret;

means for accessing a persistent memory to store the secret-dependent digital segment;

means for removing the secret-dependent digital segment from the computer system; and

means for deleting the secret-independent digital segment and the digital secret from the computer system after completing computations of the first and second transformation functions.

43. The computer system as in the above item No. 42, further comprising:

means for requesting a user who initiates the recovery to provide (1) the personalized input and (2) the secret-dependent digital segment for recovering the concealed digital secret; and

means for computing the third transformation function from a first input from the user in response to the request for the personalized input and a second input from the user in response to the request for the secret-dependent digital segment to produce an output to reveal the digital secret to the user only when both the first input matches the personalized input and the second input matches the secret-dependent digital segment.

44. The computer system as in the above item No. 43, further comprising:

means for performing a validation process to verify the output of thecomputation after the computation of the third transformation function,wherein the validation uses verification information that has arelationship with the digital secret.

These and other implementations and variations, and associatedadvantages are described in greater detail with reference to thedrawings, the detailed description, and the claims.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram illustrating an example of a partition process;

FIG. 2 is a block diagram illustrating an example of a recovery with a subsequent validation process;

FIGS. 3 and 4 are flowcharts illustrating examples of a partition process and a recovery with a subsequent validation process, respectively, for protecting private keys.

DETAILED DESCRIPTION

The techniques described in this application have various applications, e.g., accepting secrets generated from existing digital security systems as protected targets. A protected target suitable for the techniques described here may be in various forms and is not limited to one particular type of secret. For example, the protected target may be generic, including various computer-generated secrets used in security services in the network environment. The protected target can be kept unaltered and confidential during or even beyond its lifetime in various applications. As a digital secret, the protected target may be a string of binary digits and may be converted into a positive integer through the mapping of the canonical integer representation. The canonical integer representation of a bit string a_(m)a_(m−1) . . . a₁a₀ may be defined as a_(m)×2^(m)+ . . . +a₁×2+a₀.

In implementing the techniques described here, the protected target should be verifiable in order to fully utilize the potential of the techniques. Most computer-generated secrets used for security services are verifiable. A secret is verifiable if the correctness of its value can be verified. The verification of a secret usually utilizes verification data. For example, a hash value of a long PIN can be used as the verification data for verifying the correctness of a PIN entry. As a second example, the public key in a key pair of a private key and the public key is the verification data for verifying whether a value instance of the private key is correct.

In some examples described here, certain devices in a computer network are referred to as clients or client sites that are used to regenerate or recover digital secrets. In some applications, a client or a client site may be a network station or device capable of performing computational tasks and communicating with other network stations or devices. A client may be used for an individual's access to the network in many applications but may also have other uses and functionalities. Clients may be classified as (1) client computers, e.g., personal computers or computers primarily for personal use, and (2) portable client processors, such as Personal Digital Assistants (PDA) and certain wireless phones. A client computer or a portable client processor may include computing facilities, networking facilities and storage devices. The storage devices of a client may include a fixed or a portable peripheral of a persistent memory, wherein the information in the portable peripheral can be made accessible to the processor of the client.

The techniques described here partition a protected secret, by computation, into two digital segments: one secret-dependent digital segment and one secret-independent digital segment. The same secret is recovered, also by computation, upon demand from these two segments. Accordingly, the techniques described here are used in two different processes: partition and recovery.

In the examples described here, the partition process begins with the selection of a personalized input, then computes the secret-independent digital segment from the personalized input, and further computes the secret-dependent digital segment from the secret-independent digital segment and the secret under protection. The partition process ends by storing the secret-dependent digital segment in a storage device with persistent memory.

In the above process, the personalized input used to yield the secret-independent digital segment may be determined or selected by the owner or an authorized user of the protected secret. The personalized input is confidential and is known only to the owner or authorized user. The personalized input may be highly personalized, e.g., unique in some instances, to help the owner or authorized user memorize the input and to make the input harder for others to guess. The secret-independent digital segment is so named because the selection of the personalized input is independent of the protected secret. As an example, a password may be used as the personalized input. The personalized input may use data other than passwords. For example, the personalized input may be a selected input that comprises a user-selected password and a device-specific code. Passwords are generally considered weak secrets because they may be guessed by using programmed instructions. However, passwords can be properly used to provide a natural and user-friendly interface for human users. Optional chosen data as part of the personalized input may include additional passwords, random numbers, and identification data such as distinguishing identifiers, identification codes of personal devices, names or identification data for locations.

The partition process may be carried out several times for processing and protecting the same computer-generated secret in some circumstances. As an example, when the secret's owner or an authorized user wants to change the personalized input and to update the secret-dependent digital segment, the partition process may be performed again. The secret to be partitioned again can be obtained either from where it was originally generated or through the recovery process.

The recovery process in the examples described here begins with receiving an input provided as the personalized input that was previously selected as the input to the partition process. Next, the recovery process computes a temporary value from the received input and retrieves the secret-dependent digital segment from its storage, and then recovers the secret from the temporary value and the retrieved secret-dependent digital segment. The temporary value is the secret-independent digital segment if the received input is correct, i.e. the received input is identical to the personalized input.

A validation task follows the recovery task. The way validation is executed is a notable feature of the techniques described here. An entry input, such as a password entry, is not validated right after entry; it is the recovered secret that is verified. The validation is therefore an indirect validation process. With such an indirect validation strategy, passwords or information derived from passwords (for example, hash values or ciphers of passwords) need not be stored as the verification data. In this validation process, the verification data may include, for example, public keys and hash values. To validate a recovered private key, the public key associated with the authentic private key is adopted as the verification data. To validate a recovered long PIN, a hash value of the authentic PIN can be used as the verification data. Along with a partition process, an initialization process may be performed for preparing the verification data.

The partition process uses two transformation functions ƒ₁ and ƒ₂ to generate the secret-independent digital segment and the secret-dependent digital segment, respectively:

(1) secret-independent digital segment=ƒ₁(input data), where "input data" is an instance of the personalized input and the selection of this data is independent of the secret under protection, and

(2) secret-dependent digital segment=ƒ₂(ƒ₁(input data), S), where S is the secret under protection.

The recovery process uses the same ƒ₁ above and a third transformation function ƒ₃ to recover the secret concealed during the partition process:

(1) S=ƒ₃(ƒ₁(input data), secret-dependent digital segment), where "input data" and S are as defined in ƒ₁ and ƒ₂ above.

The above three transformation functions ƒ₁, ƒ₂ and ƒ₃ define the partition and recovery processes. Appropriate formulation of these transformation functions is part of an embodiment of the present invention. The three transformation functions may be implemented in various forms and the specific forms of these functions can be selected to meet the needs of a particular application. However the specific forms of these functions are selected, the three transformation functions should be designed to have the following properties:

(1) The computation of the secret-independent digital segment is collision-free or collision-resistant; mathematically, the function ƒ₁ is either a one-to-one mapping (i.e. a collision-free function) or a collision-resistant function, so that it is impossible (if ƒ₁ is collision free) or very unlikely (if ƒ₁ is collision resistant) to obtain the same secret-independent segment value from different instances of the personalized input.

(2) Given the value S of a computer-generated secret, the computation of a secret-dependent digital segment by the composite transformation of the first and the second transformation functions as sequenced, i.e. ƒ₂(ƒ₁(input data), S), is collision free or collision resistant, producing a positive integer for all instances of the personalized input. (Note: the sequence of computing ƒ₂ after ƒ₁ is first to compute ƒ₁ and then to compute ƒ₂.)

(3) Given an instance of the personalized input, i.e. given an instance of the secret-independent digital segment, the computation of a secret-dependent digital segment by ƒ₂ and the recovery of a computer-generated secret by ƒ₃ are in an inverse relationship.

(4) Without knowledge of the secret-dependent digital segment, knowledge of the secret-independent digital segment (or of the personalized input used to compute the secret-independent digital segment) alone leaves the protected secret undetermined.

(5) The input to the transformation function ƒ₁ is independent of the protected secret. In other words, the selection of this personalized input and the generation of the protected secret are two events independent of each other.

(6) Knowledge of the secret-dependent digital segment yields no clue for guessing the personalized input. The secret-dependent digital segment is the output of the second transformation, which uses two mutually independent inputs: (1) the personalized input and (2) the protected secret.

In addition to the above properties, the configuration information of these three transformations, ƒ₁, ƒ₂, and ƒ₃, should reveal as little knowledge as possible about the protected secret and should leave no clues for guessing the protected secret. As such, the programmed instructions for executing these transformations can be installed at a client site whose environment may not be secure without compromising the security of the protected secret.

In some applications, the secret-dependent digital segment may be stored in a portable storage device with persistent memory. The secret-independent digital segment, however, is computed upon demand from input data. Passwords may be used as the primary personalized input and can be carried around by users in their memory. As a result, the recovery computation can be carried out at a non-specified client site of the network, provided that the programmed instructions of these three transformations have been made available at the client site.

In other applications, the recovery process may be restricted by the system configuration to be carried out only at a specified client site. In such circumstances, certain data items of the selected personalized input are made available only from a storage device inseparable from the specified client site, so that the recovery process in general cannot be carried out at a different site or computer.

The formulation of these three transformations, ƒ₁, ƒ₂, and ƒ₃, often takes their mutual relationships into consideration. As an example, the three transformations may be given as follows:

(1) U=the secret-independent digital segment=ƒ₁(input data)=SHA-1(input data), where SHA stands for the Secure Hash Algorithm. The "input data" represents an instance of the personalized input and SHA-1 is a known one-way hash function producing a positive integer less than 2¹⁶⁰ for all instances of the personalized input.

(2) V=the secret-dependent digital segment=ƒ₂(U, S)=(U+αS) mod q, where S is the canonical positive integer representation of a protected secret, q is a chosen integer greater than all instances of S and also no less than 2¹⁶⁰, and α is a chosen positive integer relatively prime to q. (One is relatively prime to q; thus α=1 is the simplest case of α.)

(3) S=ƒ₃(U, V)=(α⁻¹×V+((−(α⁻¹×U mod q)) mod q)) mod q, where α⁻¹ represents the multiplicative inverse of α in modular arithmetic, modulo q.

The above three functions are not independent from one another but are related. It can be verified that the three transformations, ƒ₁, ƒ₂, and ƒ₃, as formulated above satisfy the aforementioned six properties. This is in part because q is chosen as a constant greater than all instances of S and also greater than all instances of U, and in part because there exists a unique α⁻¹ for a positive integer α that is relatively prime to q. Neither constant q nor α needs to be kept confidential. The disclosure of q and α reveals only that S and U are less than q. Such disclosed information provides very little help in guessing S or U, because q is sufficiently large.
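The formulation above, carried through as an added Python example (it is not the patent's own code): ƒ₁, ƒ₂ and ƒ₃ with the modular inverse α⁻¹ computed explicitly, a β parameter so that the same functions cover both the plain SHA-1 formulation and the hash+β variant described further on, and a partition/recover pair built from them. It assumes SHA-256 in place of the page's SHA-1 (SHA-1 and MD5 are no longer collision resistant; any hash whose output stays below q fits the formulas unchanged), α=3 and q=2¹⁰²⁴ as example public parameters, and a constructed password and secret. It also makes visible the property that the validation step later in the document relies on: a wrong password does not fail, it recovers some other integer in [0, q) without any indication that it is wrong.

```python
"""Partition and recovery with f1 = hash(input) + beta, f2 = (U + alpha*S) mod q and
f3 = (alpha^-1 * V - alpha^-1 * U) mod q, following the formulation on this page.

Added example, not the patent's code. Assumptions: SHA-256 (the page uses SHA-1/MD5),
alpha = 3 and q = 2**1024 as public parameters, constructed password and secret.
"""
import hashlib
from math import gcd

Q = 1 << 1024            # q: public; larger than every S (1024-bit key) and every hash output
ALPHA = 3                # alpha: public; must be relatively prime to q
assert gcd(ALPHA, Q) == 1
ALPHA_INV = pow(ALPHA, -1, Q)   # unique because gcd(alpha, q) == 1
assert (ALPHA * ALPHA_INV) % Q == 1


def f1(personalized_input: bytes, beta: int = 0, hash_name: str = "sha256") -> int:
    """Secret-independent segment U = hash(input) + beta (canonical integer of the digest).
    beta = 0 is the first formulation on the page, beta > 0 the second."""
    digest = hashlib.new(hash_name, personalized_input).digest()
    return int.from_bytes(digest, "big") + beta


def f2(U: int, S: int, alpha: int = ALPHA, q: int = Q) -> int:
    """Secret-dependent segment V = (U + alpha*S) mod q.  Requires S < q, else S is lost."""
    if not 0 <= S < q:
        raise ValueError("secret must satisfy 0 <= S < q for recovery to be unique")
    return (U + alpha * S) % q


def f3(U: int, V: int, alpha_inv: int = ALPHA_INV, q: int = Q) -> int:
    """S = (alpha^-1 * V + ((-(alpha^-1 * U mod q)) mod q)) mod q, as written on the page."""
    return (alpha_inv * V + (-(alpha_inv * U % q)) % q) % q


def partition(personalized_input: bytes, S: int, beta: int = 0) -> int:
    """Partition process: only V is stored; U and S are then discarded."""
    return f2(f1(personalized_input, beta), S)


def recover(personalized_input: bytes, V: int, beta: int = 0) -> int:
    """Recovery process: recompute U from the entered input, then invert f2.
    A wrong input does not fail here; it silently yields a different integer in [0, q)."""
    return f3(f1(personalized_input, beta), V)


def sample_secret() -> int:
    """Constructed 1024-bit 'computer-generated secret' (deterministic for the demo)."""
    seed = hashlib.sha512(b"constructed secret seed").digest()
    return int.from_bytes(seed * 2, "big")


def demo() -> dict:
    S = sample_secret()
    V = partition(b"correct horse", S)              # constructed password
    ok = recover(b"correct horse", V) == S
    wrong = recover(b"wrong horse", V)              # no error, just a different value
    V_beta = partition(b"correct horse", S, beta=12345)
    return {
        "recovered_ok": ok,
        "wrong_password_gives_secret": wrong == S,
        "wrong_value_in_range": 0 <= wrong < Q,
        "beta_variant_ok": recover(b"correct horse", V_beta, beta=12345) == S,
    }


if __name__ == "__main__":
    print(demo())
```

The `f2` range check is the one condition the formulas depend on: if S ≥ q, the reduction modulo q destroys information and ƒ₃ returns S mod q rather than S, which is why the page insists on q exceeding every instance of the secret.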

As a second example, a variation of the above formulation is given below:

(1) U=ƒ₁(input data)=SHA-1(input data)+β;

(2) V=ƒ₂(U, S)=(U+αS) mod q; and

(3) S=ƒ₃(U, V)=(α⁻¹×V+((−((α⁻¹×U) mod q)) mod q)) mod q.

In this second formulation, all parameters except β are as defined above. The parameter β is chosen as a constant positive integer. SHA-1(input data) is a collision-resistant function producing a positive integer less than 2¹⁶⁰ for all instances of the input data. Thus, the new function ƒ₁, SHA-1(input data)+β, is also a collision-resistant function, producing a positive integer less than 2¹⁶⁰+β for all instances of the input data. By mathematical deduction, the composite function of ƒ₁ and ƒ₂, i.e. V=ƒ₂(ƒ₁(input data), S)=(SHA-1(input data)+β+αS) mod q, is also a collision-resistant function with respect to the variable "input data" and produces a positive integer less than q. This deduction is in part due to the choice of q as a constant integer greater than all possible values of SHA-1(input data).

Another variation of the above formulation is given below:

(1) U=ƒ₁(input data)=hash(hash(input data))+β, where "hash" stands for a collision-resistant function like SHA-1 or MD5 that produces a positive integer;

(2) V=ƒ₂(U, S)=(U+αS) mod q; and

(3) S=ƒ₃(U, V)=(α⁻¹×V+((−((α⁻¹×U) mod q)) mod q)) mod q.

In the above, a composite of two hash functions can be extended into a composite of any number of sequenced hash functions. The composite of a sequence of collision-resistant functions is itself collision-resistant.

The use of one-way hash functions in the formulation of the first transformation function shown in the above examples helps to effectively expand the input space, i.e. enlarge the set containing all instances of the personalized input. As a result, the content selection of the personalized input is flexible and the owner or an authorized user of the protected secret has the freedom to select the personalized input.

The secret-dependent digital segment may be designed to be portable and thus may be referred to as a portable segment. A portable storage device of persistent memory such as a USB memory device, a diskette or a memory card may be used as an apparatus for this segment. Other storage devices for this segment may be peripherals of network-connected servers. Portable storage devices may be preferred for storing the secret-dependent digital segment, at least in part because the recovery computation of a protected secret can then be done entirely within the computing facilities of a non-specified client.

Furthermore, after the secret-dependent digital segment is stored in a portable storage device, the portable storage device may be disconnected from the computer network after any data on the secret-dependent digital segment is deleted or removed from the network. Therefore, the secret-dependent digital segment that carries the information on the digital secret is no longer available in the network, and an attacker cannot attack the digital secret even if the attacker gains access to the network. This provides additional security in protection of the already protected digital secret.

A storage device for storing the secret-dependent digital segment may also include a disk or other storage peripheral bound to a specified client. As an example, the client may be a portable client with a client processor programmed to perform the various processes and computations of the present techniques, and the storage device may include a persistent memory that is part of the portable client processor. Such a processor, with a secret-dependent digital segment in its persistent memory, is capable of serving as a processor within which the recovery computations can be carried out and, at the same time, serving as a client connected to the network.

For convenience to the end users, many applications may use passwords as the primary personalized input. The personalized input optionally includes additional identification data such as a manufacturer's built-in identification code of a personal device for storing the secret-dependent digital segment, thereby binding this personal device to the recovery computation of the secret. Such built-in identification data can be made computer readable so that reading the data is done without human intervention.

It can be inferred from the recovery transformation function ƒ₃ that, when the secret-dependent digital segment is known, guessing the computer-generated secret is reduced to the task of guessing the personalized input. Therefore, adding a random number to the personalized input adds resistance to brute-force guessing of the secret. The security gained by adding a random number to the personalized input may be less evident if the secret's owner or authorized user diligently keeps the secret-dependent digital segment safe and prevents its unauthorized use. The added random number could be considered a second portable segment and, alternatively, may be stored in the persistent memory of a specified client, thereby restricting recovery of the computer-generated secret to that specified client site.

The personalized input used for computing a secret-independent digital segment may include a single data item or a combination of at least two items of data. A human-chosen secret, e.g. a password or a short PIN, is a typical example of a single-item input. As an example of a combination of at least two items of data, one password and one device-specific code can be concatenated (e.g. password∥device ID or device ID∥password) as the personalized input. As another example, three items can be concatenated, e.g. password∥random number∥device ID, as the personalized input. Alternatively, the personalized input data may be divided into several groups, where each group is used to compute a secret-independent sub-segment, and the final secret-independent segment is then computed from all secret-independent sub-segments. In this way, each secret-independent sub-segment is computed through a collision-free or collision-resistant function.

Upon completion of the recovery, the present techniques can further validate the recovered secret without validating the password entry or other input data. The way of validation depends on what the computer-generated secret and the verification data are, even though the partition and recovery of a computer-generated secret may be the same. For example, a scheme called the challenge-and-response validation process has been designed and implemented for the validation of value instances of a private key in a public-key cryptosystem. This is a legacy validation method on the Internet defined in several international standards including ISO/IEC 9798-3 (1998). The validation process may be implemented with four basic steps: (1) randomly generate a challenge message; (2) compute the response, i.e. sign a fingerprint of the challenge using the value that is supposed to be a valid private key; (3) decipher the response using the corresponding public key; and (4) compare the deciphered response with the fingerprint of the challenge message. By definition, a fingerprint of a challenge message is the output produced by transforming the message with a selected one-way hash function.

As another example, a hash value obtained by applying a selected one-way hash function twice to a long PIN, i.e. hash(hash(the long PIN)), may be adopted as the verification data. In validation, the same selected hash function is applied twice to a recovered value instance of the long PIN and the result is compared with the verification data. Double hashing is preferred over single hashing in some circumstances to avoid using the same hash value at both a system site and a client site. Suppose that a client site uses a double-hashed value as the verification data while a system site uses a single-hashed value as another verification data. Disclosure of the double-hashed value reveals little information for a guess about the corresponding single-hashed value, provided that the selected one-way hash function is computationally irreversible, as it should be.

In some applications, the verification data and the secret-dependent digital segment may be intentionally stored together within one storage device. As such, the validation task can subsequently be executed at the same client site where the recovery takes place.

When properly implemented, the verification data reveals no clues for guessing the protected secret. The public key as the verification data in the aforementioned challenge-and-response scheme satisfies this requirement. The double-hashed value and the single-hashed value mentioned above also provide little help in guessing the long PIN that is hashed.

Passwords are commonly used in many security services. The present techniques, however, use passwords as the entirety or a part of a personalized input in a way that is significantly different from the uses of passwords in other methods. A password is also commonly used to generate a derivative, and the derivative is used in digital security. A derivative of a password is defined here as a value derived from the password only, such as the output of a transformation function that has a sole input variable for receiving a password. One example is a hash value of the password. In this context, such derivatives of the password are not kept in persistent memory in implementations of the present techniques. The secret-dependent digital segment is derived from the password and is the output of the second transformation function ƒ₂, which uses two mutually independent inputs: (1) the password (or, more generally, the personalized input) and (2) the protected secret. Hence, in the above-defined meaning of a derivative, the secret-dependent digital segment is not a derivative of the password, because the second transformation function ƒ₂ has more than one input variable.

In this context, many traditional methods use a password or a derivative thereof to retrieve and make available a secret. Accordingly, the password or its derivative needs to be stored in persistent memory for recovering the secret, and the storage device may be hacked by attackers to steal the password information. In contrast, in the present techniques, a password is used in the recovery computation, and neither the password itself nor its derivatives need be pre-stored anywhere for an authentication check; nor is the password part of the data needed for retrieving the secret-dependent digital segment. The secret-dependent digital segment can be retrieved by, e.g., simply using an explicit filename for the segment. This difference is substantial in part because the way a password is used in the present techniques significantly improves the level of security and mitigates the risks associated with attacks on passwords compared with the traditional use of passwords. The fact that the password is used to recover the computer-generated secret and is not checked directly in the present techniques gives strong password protection. Password theft, reuse and undetected sharing may become impossible, unless the owner or an authorized user keeps hand-written or digital copies for backup. Attacks utilizing server spoofing or server compromise would also be impossible, because passwords are not requested by or stored in servers. It is further noted that the present techniques can be implemented so that end users may not notice the difference and use their passwords the same way as they always do when using security systems based on the present techniques.

The present techniques may be implemented to use a two-factor authenticator: something a user should have (the secret-dependent digital segment and the verification data in a storage device) and something the user should know (the personalized input such as a password). With random numbers and additional identification data included in the personalized input, the present techniques may also be implemented with an n-factor authenticator, where n is greater than two. Separately safeguarding two or more factors of the authenticator reduces the chances for attackers to steal all the information needed to launch search attacks such as a dictionary attack on the password.

In the worst-case scenario for an implementation of the present techniques, where the secret-dependent digital segment and the verification data are obtained by an attacker, guessing the secret is reduced to the task of guessing the personalized input. Each guess of the personalized input, however, needs to execute a recovery task and a validation task in a system based on the present techniques and is thus very difficult. In some implementations, the validation of a recovered secret is a computation-intensive task. In the RSA cryptosystem, as an example, using a public key to verify a recovered private key involves modular exponentiation. Such computations significantly increase the difficulty of search attacks.
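The validation methods described above (double-hashed verification data for a long PIN, and challenge-and-response for a private key) together with the worst case just described, in which an attacker holds both the secret-dependent segment and the verification data, as an added Python example that is not the patent's own code. It assumes SHA-256 instead of the page's SHA-1/MD5, textbook RSA over the two Mersenne primes 2³¹−1 and 2⁶¹−1 (a toy modulus with no padding, chosen so the key pair can be generated inline) as the protected private key, the page's segment formula with α=3 and q=2¹⁰²⁴, and constructed passwords, PIN and wordlist; the short `partition`/`recover` helpers restate ƒ₂ and ƒ₃ from the formulation above. The attacker loop shows where the per-guess cost actually comes from: the validation step (one modular exponentiation per guess here), since public constants such as α and q add nothing to it.

```python
"""Indirect validation of a recovered secret, and what each guess costs an attacker.

Added example, not the patent's own code. Assumptions: SHA-256 (page uses SHA-1/MD5);
textbook RSA over the Mersenne primes 2**31-1 and 2**61-1 (toy size, no padding) as the
protected private key; V = (U + alpha*S) mod q with alpha = 3, q = 2**1024 as on the
page; constructed passwords, PIN and wordlist.
"""
import hashlib
import secrets
from typing import Callable, Iterable, Optional, Tuple

Q = 1 << 1024
ALPHA = 3
ALPHA_INV = pow(ALPHA, -1, Q)


def f1(personalized_input: bytes) -> int:
    """Secret-independent segment U (page's f1, SHA-256 assumed)."""
    return int.from_bytes(hashlib.sha256(personalized_input).digest(), "big")


def partition(personalized_input: bytes, S: int) -> int:
    """V = f2(U, S): the only value that is stored."""
    return (f1(personalized_input) + ALPHA * S) % Q


def recover(personalized_input: bytes, V: int) -> int:
    """f3(U, V): always yields some integer; a wrong input is not detected here."""
    return (ALPHA_INV * (V - f1(personalized_input))) % Q


# (1) long PIN: verification data is hash(hash(PIN)); the PIN itself is never stored.
def pin_verification_data(pin: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(pin).digest()).digest()


def validate_pin(recovered: int, verification: bytes, pin_len: int) -> bool:
    """Re-apply the double hash to the recovered value and compare in constant time."""
    if recovered >= 1 << (8 * pin_len):      # a wrong guess usually lands outside the PIN range
        return False
    candidate = recovered.to_bytes(pin_len, "big")   # canonical integer back to the bit string
    return secrets.compare_digest(pin_verification_data(candidate), verification)


# (2) RSA private key: challenge-and-response, the public key is the verification data.
P, Q_RSA = (1 << 31) - 1, (1 << 61) - 1   # M31 and M61, both prime; toy modulus of ~92 bits
N = P * Q_RSA
E = 65537
D = pow(E, -1, (P - 1) * (Q_RSA - 1))      # the private key: the protected secret S


def fingerprint(challenge: bytes) -> int:
    """Fingerprint = one-way hash of the challenge, reduced into Z_N (toy; real use pads)."""
    return int.from_bytes(hashlib.sha256(challenge).digest(), "big") % N


def validate_private_key(recovered_d: int, challenge: Optional[bytes] = None) -> bool:
    """The page's four steps: random challenge; sign its fingerprint with the recovered key;
    decipher the response with the public key; compare with the fingerprint."""
    if challenge is None:
        challenge = secrets.token_bytes(32)
    h = fingerprint(challenge)
    response = pow(h, recovered_d, N)          # modular exponentiation: the per-guess cost
    return pow(response, E, N) == h


# (3) worst case: the attacker holds V and the verification data.
def dictionary_attack(V: int, validate: Callable[[int], bool],
                      candidates: Iterable[bytes]) -> Tuple[Optional[bytes], int]:
    """Each candidate costs one recovery plus one validation; returns (hit, guesses made)."""
    tries = 0
    for guess in candidates:
        tries += 1
        if validate(recover(guess, V)):
            return guess, tries
    return None, tries


def demo() -> dict:
    password = b"correct horse"                                          # constructed
    v_key = partition(password, D)
    wordlist = [b"password", b"letmein", b"hunter2", b"correct horse"]   # constructed
    hit, tries = dictionary_attack(v_key, validate_private_key, wordlist)

    pin = b"4821-7739-0026"                                              # constructed long PIN
    verification = pin_verification_data(pin)
    v_pin = partition(b"pin password", int.from_bytes(pin, "big"))
    good = validate_pin(recover(b"pin password", v_pin), verification, len(pin))
    bad = validate_pin(recover(b"other password", v_pin), verification, len(pin))
    return {"key_hit": hit, "guesses": tries, "pin_good": good, "pin_bad": bad}


if __name__ == "__main__":
    print(demo())
```

Two details matter in practice: `validate_pin` must cope with recovered values that do not even fit the PIN's length (a wrong password yields an arbitrary element of [0, q)), and the RSA check is only meaningful with a fresh random challenge, since a fixed one would let an attacker replay a captured response.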

FIGS. 1 through 4 provide specific examples of implementations of thepresent techniques. Wherever possible, the same reference numbers areused in the drawings and the description to refer to the same or likeparts.

FIG. 1 shows operation steps in one implementation of the partitionprocess and associated input and output interactions between thisprocess and its working environment. The partition process, onceinitiated, requests an input 110 via an user interface from a user. Theinput 110 is a personalized input determined by the owner or anauthorized user of the computer-generated secret. The input 110 mayinclude a password and, optionally, additional passwords, randomnumbers, identification data or a combination of these data. The owneror the authorized user enters passwords, while other data may beautomatically inputted to the partition process. The security service130 on a system where the secret is generated supplies acomputer-generated secret 140 to be protected. At step 120, thepartition process applies a selected first transformation function ƒ₁ tocompute the secret-independent digital segment. A step 140 is executedto obtain the computer-generated secret 140 from the security service130. At step 150, the partition process computes the secret-dependentdigital segment 150 by using a selected second transformation functionƒ₂. Next at step 160, the secret-dependent digital segment is stored ina persistent memory. The secret-dependent digital segment may be storedin a storage apparatus 170. Finally at step 180, the computer-generatedsecret, the secret-dependent segment and the secret-independent digitalsegment are deleted from the transitory memory.

FIG. 2 is a block diagram illustrating operation steps in oneimplementation of the recovery and subsequent validation and associatedinput and output interactions. The recovery process begins withrequesting and receiving an input 200 at step 202 as the personalizedinput, proceeds to compute a secret-independent digital segment from thereceived input at step 205 and to retrieve the secret-dependent digitalsegment from its storage 215, and then recovers the computer-generatedsecret from the two digital segments in step 210. The input 200 isinputted as the personalized input defined in the correspondingpartition process. The secret-independent digital segment is computed bythe same first transformation function as that adopted in the partitionprocess. The secret-dependent digital segment is previously generated bythe partition process and stored in the storage apparatus 215. Thesecret is recovered by the third transformation function which has aninverse relationship with the second transformation function which isalso adopted in the corresponding partition process. Verification datais generated by an initialization process and is stored in memory 225.At step 220, the verification data is retrieved and is used to validatethe recovered secret. A validation result is produced at the end of thestep 220. Next, step 230 is performed to determine whether thevalidation result of step 220 is invalid or valid. The validation resultis decided as valid when the received input 200 matches the personalizedinput and the supplied secret-dependent digital segment stored in thestorage device 215 and the verification data in the storage 225 are bothauthentic. If valid, the recovered secret is put in use at step 235 andis further supplied to security services 240 on a system where thecomputer-generated secret is used. At step 245, the recoveredcomputer-generated secret and the computed secret-independent digitalsecret are deleted from the computer memory. 
If the validation result isinvalid, whether to repeat or terminate is determined at step 250. Ifthe decision is to terminate, the routine ends at step 260. If thedecision is to repeat, the process is repeated beginning by requestinganother input 200 from the user.

In implementations, the above described partition and verificationprocesses may be implemented as computer software instructions. Suchsoftware instructions may be stored on one or more machine-readablestorage media or devices connected to a computer or a computer system.In operation, one or more computer processors may be used to perform thedescribed functions and operations. FIGS. 3 and 4 are respectively theflowcharts of an exemplary partition process and an exemplary recoverywith a validation process as actions taken by the computer under controlof the software instructions. It is assumed that the protected secret inFIGS. 3 and 4 is a private key S. The aforementionedchallenge-and-response scheme is adopted into FIG. 4 as the validationmethod. The three transformation functions, ƒ₁, ƒ₂, and ƒ₃, in thisformulation are defined as follows and are slightly different from theaforementioned formulation examples

(1) U=ƒ₁(password)=MD5(password)+β, where MD5 is a known one-way hash function (used here only as the example; the claims below admit any collision-resistant hash function) and β is a constant positive integer;

(2) V=ƒ₂(U, S)=(U+αS) mod q, where S is the private key under protection, q is a positive integer larger than all instances of S and also larger than MD5(password) for all instances of the password, and α is a positive integer relatively prime to q; and

(3) S=ƒ₃(U, V)=(α⁻¹V+(−((α⁻¹U) mod q)) mod q) mod q, where α⁻¹ is the multiplicative inverse of α with respect to modulo arithmetic, modulo q; this is the same value as α⁻¹(V−U) mod q, written so that every intermediate term is non-negative.
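Why ƒ₃ is the exact inverse of ƒ₂, as a short derivation added here (it is not in the original text and uses only the definitions above):

$$
V \equiv U + \alpha S \pmod{q}
\quad\Longrightarrow\quad
\alpha^{-1}(V - U) \equiv \alpha^{-1}\alpha S \equiv S \pmod{q}.
$$

Because $q$ is chosen larger than every possible $S$, the residue $\alpha^{-1}(V-U) \bmod q$ in $[0, q)$ is $S$ itself and not merely congruent to it; the nested form $(\alpha^{-1}V + (-((\alpha^{-1}U) \bmod q)) \bmod q) \bmod q$ in (3) is this same value written with non-negative intermediate terms. The inverse $\alpha^{-1}$ exists only because $\gcd(\alpha, q) = 1$, which for $q = 2^{1024}$ means $\alpha$ must be odd. For a wrong password with $U' \neq U$ the same computation returns

$$
S' = \bigl(S + \alpha^{-1}(U - U')\bigr) \bmod q,
$$

a value in $[0, q)$ that cannot be told from a genuine secret by inspection, which is why the validation step that follows is required.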

In this specific example, the personalized input is a password. The output of MD5 is a string of 128 binary digits, so MD5(password) is less than 2¹²⁸ for all instances of the password. Suppose that the size of the private key is 1024 bits. Then q can be chosen as 2¹⁰²⁴ or larger, because 2¹⁰²⁴ is larger than all instances of the private key and larger than 2¹²⁸. Determining whether a guess about the password is correct involves computing at least one exponential expression with an integer representing the recovered digital secret as the exponent, assuming that an RSA-type cryptosystem is used here; the recovery step itself gives no indication of whether the guessed password was right. Therefore, a properly selected parameter β can significantly increase the difficulty of search attacks on the password.

Referring to FIG. 3, a private key is accepted as the protected target S at step 310. The key is a bit string and is represented as a positive integer S. In step 320, three positive integers, q, α and β, are chosen, where q is at least 2¹⁰²⁴ and α is relatively prime to q (for q a power of two, any odd α). In step 330, a password is chosen and confirmed as the personalized input by the owner or an authorized person of the protected private key S. In step 340, the secret-independent digital segment is computed by the selected first transformation function, i.e. U=MD5(password)+β. In step 350, the secret-dependent digital segment is computed by the selected second transformation function, i.e. V=(U+αS) mod q. In step 360, the private key S and the secret-independent digital segment U are deleted from the computer memory. In step 370, the secret-dependent digital segment is stored in a storage place of a persistent memory.

FIG. 4 shows the operations in the recovery and validation. In step 410, a password entry is received as the input. In step 420, the secret-independent digital segment is computed from the input by the same first transformation function as that adopted in FIG. 3, i.e. U=MD5(password)+β. In step 430, the secret-dependent digital segment is retrieved from its storage place. In step 440, the protected private key S is recovered by the third transformation function, i.e. S=ƒ₃(U, V)=(α⁻¹V+(−((α⁻¹U) mod q)) mod q) mod q. This completes the recovery process; the recovered value has not yet been checked at this point.

The challenge-and-response validation begins at step 450, where a random message C is obtained as a challenge. In step 460, the message fingerprint of C is signed using the recovered private key as the signature private key: SIG=signature(the recovered private key, hash(C)). In step 470, the signature so obtained is decrypted using the public key associated with the authentic private key; the result is denoted as D: D=decryption(Public Key, SIG). In step 480, D and hash(C) are compared. The recovered private key is accepted in step 490 if the comparison results in a match. In step 498, the recovered secret is put to use in security services and is then deleted from the computer memory. If the comparison at step 480 does not find a match, the recovered private key is rejected in step 495, and the process repeats from step 410 with a new password entry.
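The partition (FIG. 3), recovery (FIG. 4) and challenge-and-response validation above, carried out end to end in Python as an added example; this is not code from the patent. Assumed here and not given in the text: the concrete values of α and β, a toy 512-bit RSA key generated in-script with a Miller-Rabin test (the text assumes a 1024-bit key), SHA-256 as the challenge hash, and textbook unpadded RSA for the signature and its check. MD5 is used in ƒ₁ only because the page's example uses it. The dictionary_attack function illustrates the search-attack cost the text refers to: a stored segment V can be attacked offline at one recovery plus one full-size exponentiation per guessed password, and the candidate list is a constructed sample.

```python
"""Partition (FIG. 3), recovery (FIG. 4) and challenge-and-response check
for an RSA private exponent, using the page's f1/f2/f3.  Added example,
not patent code.  Assumed here: ALPHA/BETA values, a toy 512-bit RSA key
made in-script, SHA-256 as the challenge hash, textbook unpadded RSA."""
import hashlib
import secrets

Q = 2 ** 1024        # larger than any 1024-bit S and any 128-bit MD5 value
ALPHA = 65537        # odd, so relatively prime to the power-of-two Q
BETA = 1000003       # constant positive integer (assumed value)
ALPHA_INV = pow(ALPHA, -1, Q)

def f1(password: bytes) -> int:
    """U = MD5(password) + beta.  MD5 only to match the page's example;
    a current design would use a slow password KDF here."""
    return int.from_bytes(hashlib.md5(password).digest(), "big") + BETA

def f2(u: int, s: int) -> int:
    """V = (U + alpha*S) mod q, the secret-dependent segment (step 350)."""
    return (u + ALPHA * s) % Q

def f3(u: int, v: int) -> int:
    """S = alpha^-1 (V - U) mod q; equals the page's nested form."""
    return (ALPHA_INV * (v - u)) % Q

def partition(password: bytes, s: int) -> int:
    """FIG. 3: returns V only; the caller must discard S and U."""
    if not 0 < s < Q:
        raise ValueError("secret must be a positive integer below q")
    return f2(f1(password), s)

def recover(password: bytes, v: int) -> int:
    """FIG. 4, steps 410-440: any password yields some S; nothing here
    distinguishes a wrong password from the right one."""
    return f3(f1(password), v)

def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin; adequate for a demo key."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits: int) -> int:
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(c):
            return c

def gen_rsa(bits: int = 512):
    """Toy RSA key (n, e, d); 512 bits for speed, never for real use."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return p * q, e, pow(e, -1, phi)

def validate(s_recovered: int, n: int, e: int, challenge: bytes) -> bool:
    """Steps 450-480: SIG = hash(C)^S mod n, then SIG^e mod n must equal
    hash(C) under the authentic public key.  Only the genuine S passes."""
    h = int.from_bytes(hashlib.sha256(challenge).digest(), "big")  # h < n
    return pow(pow(h, s_recovered, n), e, n) == h

def dictionary_attack(v: int, n: int, e: int, candidates):
    """Offline search over a stolen V: one recovery plus one full-size
    exponentiation per guess.  Returns (password or None, trials)."""
    challenge = secrets.token_bytes(16)
    for trials, guess in enumerate(candidates, start=1):
        if validate(recover(guess, v), n, e, challenge):
            return guess, trials
    return None, len(candidates)

def demo(password: bytes = b"correct horse battery staple") -> dict:
    """Runs the whole flow once and returns the four checks as booleans."""
    n, e, d = gen_rsa()
    v = partition(password, d)        # persisted; d and U are now gone
    good, bad = recover(password, v), recover(b"wrong password", v)
    return {"exact_recovery": good == d,
            "good_validates": validate(good, n, e, b"C1"),
            "bad_differs": bad != d,
            "bad_rejected": not validate(bad, n, e, b"C1")}

if __name__ == "__main__":
    print(demo())
```

Running the script prints the four checks from demo(), all True. The split into recover and validate mirrors the text's ordering: recovery never inspects the password, so the only thing standing between a stolen V and the private key is the cost of running validate once per guess, which is why the password's entropy and the public key's integrity both matter.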

The recovery with subsequent validation process described in FIG. 4 can be carried out in different system configurations. For example, a non-specified client computer capable of receiving the secret-dependent digital segment and the public key from a portable storage device may be used to perform the operations in FIG. 4. For another example, a portable client processor with persistent memories may also be used to store the secret-dependent digital segment and the public key and to carry out the recovery and validation.

Only a few examples and implementations are described. However, various enhancements, variations, and modifications are possible based on what is described here.

1. A method for protecting a digital secret, comprising: transforming a user-selected password, which is independent of a digital secret to be protected, into a temporary value by a first transformation; using the temporary value and the digital secret as inputs to a second transformation to produce a secret-dependent digital segment in a transitory memory; storing the secret-dependent digital segment in a persistent memory; deleting the secret-dependent digital segment from the transitory memory; deleting the digital secret and the temporary value from each memory associated with computations of the first and second transformations; receiving a password and a secret-dependent segment from a user requesting the recovery of the digital secret; without a prior validation of the received password, using the received password and the received secret-dependent digital segment as inputs to a third transformation to compute a value as a recovered secret; validating the recovered secret with verification information that has a relationship with the digital secret; and determining whether the received password matches the selected password and whether the received secret-dependent digital segment matches the secret-dependent digital segment according to an outcome of the validating step, wherein the first and second transformations are configured, respectively, as a first function ƒ₁ and a second function ƒ₂, and the third transformation is configured as a composite function of the first function ƒ₁ and a third function ƒ₃ in the sequence of computing ƒ₁ first and subsequently computing ƒ₃, and wherein the first, the second, and the third functions are as follows: (1) U=ƒ₁(password)=hash(password)+β, where hash( ) is a collision-resistant hash function producing a positive integer for all instances of the password and β is a constant non-negative integer; (2) V=ƒ₂(U, S)=(U+α×S) mod q, where U is an input value representing an output instance produced by the function ƒ₁, S is a positive integer representing an instance of the digital secret, q is a positive integer larger than all instances of the digital secret and also larger than hash(password) for all instances of the password, α is a positive integer relatively prime to q; and (3) S=ƒ₃(U, V)=(α⁻¹×V+((−(α⁻¹×U mod q)) mod q)) mod q, where U is an input value representing an output instance produced by the function ƒ₁, V is an input value representing an instance of the secret-dependent digital segment, q is the sufficiently large integer as defined in ƒ₂, α is also as defined in ƒ₂, and α⁻¹ is the multiplicative inverse of α, modulo q.
2. The method as in claim 1, further comprising using a cryptographic key as at least part of the digital secret.
3. The method as in claim 2, wherein the cryptographic key is a key in a symmetric cryptographic system.
4. The method as in claim 2, wherein the cryptographic key is a private key of a key pair of a public key and the private key.
5. The method as in claim 1, further comprising using an identification code for access to a secured information system as at least part of the digital secret.
6. The method as in claim 1, further comprising: performing the first and the second transformations in a computer system to which the persistent memory is connected to receive and store the secret-dependent digital segment; and upon completion of the second transformation and storing the secret-dependent digital segment, disconnecting the persistent memory from the computer system.
7. The method as in claim 1, further comprising selecting a collision-free mapping function to compute the first transformation.
8. The method as in claim 1, further comprising selecting a collision-resistant hash function to compute the first transformation.
9. The method as in claim 1, further comprising: configuring the first and second transformations as a first function ƒ₁ and a second function ƒ₂, respectively, such that a composite transformation by first computing the function ƒ₁ and subsequently computing the function ƒ₂, for a given digital secret and expressed as ƒ₂(ƒ₁(input data), the given digital secret), is one of a collision-free mapping function and a collision-resistant hash function with respect to the input data in ƒ₁(input data).
10. The method as in claim 1, further comprising using a portable storage device as the persistent memory to store the secret-dependent digital segment.
11. The method as in claim 10, wherein the portable storage device comprises a digital processor, and wherein the method further comprises performing the first and the second transformations on the digital processor.
12. The method as in claim 11, further comprising: receiving a password from a user requesting the recovery of the digital secret; retrieving the secret-dependent segment; without a prior validation of the received password, using the received password and the retrieved secret-dependent digital segment as inputs to a third transformation to compute a value as a recovered secret; and performing the third transformation on the digital processor.
13. The method as in claim 10, wherein the portable storage device comprises a digital processor, and wherein the method further comprises: receiving a password from a user requesting the recovery of the digital secret; retrieving the secret-dependent segment; without a prior validation of the received password, using the received password and the retrieved secret-dependent digital segment as inputs to a third transformation to compute a value as a recovered secret; and performing the third transformation on the digital processor.
14. The method as in claim 1, further comprising avoiding storing the selected password and a derivative of the selected password other than the secret-dependent digital segment in a persistent memory.
15. A method for protecting a digital secret, comprising: accepting a digital secret as a protection object; combining a selected password from an authorized user and a device-specific code from a device into a selected input; transforming the selected input into a temporary value by a first transformation; using the digital secret and the temporary value as inputs to a second transformation to produce a secret-dependent digital segment in a persistent memory of the device; and deleting the digital secret and the temporary value from each memory associated with the computations of the first and second transformations, wherein the first and the second transformations are: (1) the first transformation is U=ƒ₁(password)=hash(password)+β, where hash( ) is a collision-resistant hash function producing a positive integer for all instances of the password and β is a constant non-negative integer; and (2) the second transformation is V=ƒ₂(U, S)=(U+α×S) mod q, where U is an input value representing an output instance produced by the function ƒ₁, S is a positive integer representing an instance of the digital secret, q is a positive integer larger than all instances of the digital secret and also larger than hash(password) for all instances of the password, α is a positive integer relatively prime to q.
16. The method as in claim 15, further comprising avoiding storing the selected password and a derivative of the selected password other than the secret-dependent digital segment in a persistent memory.
17. The method as in claim 15, wherein the selected password and the device-specific code are combined as a concatenated bit string of data bits of the selected password and the device-specific code in either one of a first order where data bits for the selected password are before data bits from the device-specific code and a second order where data bits for the selected password are after data bits from the device-specific code.
18. The method as in claim 15, further comprising: receiving a password from a user requesting the recovery of the digital secret; accessing the device to obtain the device-specific code; combining the received password and the obtained device-specific code into a received input; transforming the received input into a temporary value by the first transformation; retrieving the secret-dependent digital segment from the persistent memory of the device; and without a prior validation of the received password, using the temporary value and the retrieved secret-dependent digital segment as inputs to a third transformation to compute a value as a recovered secret.
19. The method as in claim 18, wherein the device comprises a digital processor.
20. The method as in claim 19, further comprising restricting the computation of the first transformation to the digital processor.
21. The method as in claim 15, wherein the device is portable.
22. A method for protecting a digital secret, comprising: transforming a personalized input into a secret-independent digital segment according to a first transformation function, wherein a content of the personalized input is independent of the digital secret; using the secret-independent digital segment and the digital secret as inputs to a second transformation function to produce a secret-dependent digital segment which digitally conceals the digital secret, wherein a third transformation function exists to use the secret-independent digital segment and the secret-dependent digital segment as inputs for recovering the digital secret; storing the secret-dependent digital segment in a persistent memory; deleting the digital secret and the secret-independent digital segment from each memory associated with computations of the first and second transformation functions; requesting a user who initiates the recovery to provide (1) the personalized input and (2) the secret-dependent digital segment for recovering the concealed digital secret; and applying the computation of the third transformation function from a first input from the user in response to the request for the secret-independent digital segment and a second input from the user in response to the request for the secret-dependent digital segment to produce an output to the user, wherein the output reveals the digital secret to the user only when both the first input matches the personalized input and the second input matches the secret-dependent digital segment, wherein the first, the second, and the third transformation functions are: (1) the first transformation function U=ƒ₁(password)=hash(password)+β, where hash( ) is a collision-resistant hash function producing a positive integer for all instances of the password and β is a constant non-negative integer; (2) the second transformation function V=ƒ₂(U, S)=(U+α×S) mod q, where U is an input value representing an output instance produced by the function ƒ₁, S is a positive integer representing an instance of the digital secret, q is a positive integer larger than all instances of the digital secret and also larger than hash(password) for all instances of the password, α is a positive integer relatively prime to q; and (3) the third transformation S=ƒ₃(U, V)=(α⁻¹×V+((−(α⁻¹×U mod q)) mod q)) mod q, where U is an input value representing an output instance produced by the function ƒ₁, V is an input value representing an instance of the secret-dependent digital segment, q is the sufficiently large integer as defined in ƒ₂, α is also as defined in ƒ₂, and α⁻¹ is the multiplicative inverse of α, modulo q.
23. The method as in claim 22, wherein the digital secret comprises a cryptographic key.
24. The method as in claim 23, wherein the cryptographic key is a key in a symmetric cryptographic system.
25. The method as in claim 23, wherein the cryptographic key is a private key of a key pair of a public key and the private key.
26. The method as in claim 22, wherein the digital secret comprises an identification code for access to a secured information system.
27. The method as in claim 22, wherein the personalized input comprises passwords, unique identifiers, location identification data, device identification codes, randomly-generated numbers, or a combination of these data.
28. The method as in claim 22, further comprising: after the computation of the third transformation function, performing a validation process to verify the output of the computation.
29. The method as in claim 28, wherein the validation uses verification information that has a relationship with the digital secret.
30. An article comprising a machine-readable medium that stores machine-executable instructions for protecting a digital secret, the instructions causing a machine to: transform a user-selected password, which is independent of a digital secret to be protected, into a temporary value by a first transformation; use the temporary value and the digital secret as inputs to a second transformation to produce a secret-dependent digital segment in a transitory memory; store the secret-dependent digital segment in a persistent memory; delete the secret-dependent digital segment from the transitory memory; delete the digital secret and the temporary value from each memory associated with computations of the first and second transformations; receive a password and a secret-dependent segment from a user requesting the recovery of the digital secret; without a prior validation of the received password, use the received password and the received secret-dependent digital segment as inputs to a third transformation to compute a value as a recovered secret; validate the recovered secret with verification information that has a relationship with the digital secret; and determine whether the received password matches the selected password and whether the received secret-dependent digital segment matches the secret-dependent digital segment according to an outcome of the validating operation, wherein the first and second transformations are configured, respectively, as a first function ƒ₁ and a second function ƒ₂, and the third transformation is configured as a composite function of ƒ₁ and a third function ƒ₃ in the sequence of computing ƒ₁ first and subsequently computing ƒ₃, and wherein the first, the second, and the third functions are as follows: (1) U=ƒ₁(password)=hash(password)+β, where hash( ) is a collision-resistant hash function producing a positive integer for all instances of the password and β is a constant non-negative integer; (2) V=ƒ₂(U, S)=(U+α×S) mod q, where U is an input value representing an output instance produced by the first function ƒ₁, S is a positive integer representing an instance of the digital secret, q is a positive integer larger than all instances of the digital secret and also larger than hash(password) for all instances of the password, α is a positive integer relatively prime to q; and (3) S=ƒ₃(U, V)=(α⁻¹×V+((−((α⁻¹×U) mod q)) mod q)) mod q, where V is an input value representing an instance of the secret-dependent digital segment, U, q, and α are as defined in ƒ₂, and α⁻¹ is the multiplicative inverse of α, modulo q.
31. A computer system, comprising: means for transforming a personalized input into a secret-independent digital segment according to a first transformation function, wherein a content of the personalized input is independent of the digital secret; means for using the secret-independent digital segment and the digital secret as inputs to a second transformation function to produce a secret-dependent digital segment which digitally conceals the digital secret, wherein a third transformation function exists to use the secret-independent digital segment and the secret-dependent digital segment as inputs for recovering the digital secret; means for accessing a persistent memory to store the secret-dependent digital segment; means for removing the secret-dependent digital segment from the computer system; and means for deleting the secret-independent digital segment and the digital secret from the computer system after completing computations of the first and second transformation functions, wherein the first, the second, and the third transformation functions are: (1) the first transformation function U=ƒ₁(password)=hash(password)+β, where hash( ) is a collision-resistant hash function producing a positive integer for all instances of the password and β is a constant non-negative integer; (2) the second transformation function V=ƒ₂(U, S)=(U+α×S) mod q, where U is an input value representing an output instance produced by the function ƒ₁, S is a positive integer representing an instance of the digital secret, q is a positive integer larger than all instances of the digital secret and also larger than hash(password) for all instances of the password, α is a positive integer relatively prime to q; and (3) the third transformation S=ƒ₃(U, V)=(α⁻¹×V+((−(α⁻¹×U mod q)) mod q)) mod q, where U is an input value representing an output instance produced by the function ƒ₁, V is an input value representing an instance of the secret-dependent digital segment, q is the sufficiently large integer as defined in ƒ₂, α is also as defined in ƒ₂, and α⁻¹ is the multiplicative inverse of α, modulo q.
32. The computer system as in claim 31, further comprising: means for requesting a user who initiates the recovery to provide (1) the personalized input and (2) the secret-dependent digital segment for recovering the concealed digital secret; and means for computing the third transformation function from a first input from the user in response to the request for the secret-independent digital segment and a second input from the user in response to the request for the secret-dependent digital segment to produce an output to reveal the digital secret to the user only when both the first input matches the personalized input and the second input matches the secret-dependent digital segment.
33. The computer system as in claim 32, further comprising: means for performing a validation process to verify the output of the computation after the computation of the third transformation function, wherein the validation uses verification information that has a relationship with the digital secret.